stefan.buchwald@twt-gmbh.de
2002-Jan-23 18:09 UTC
[Shorewall-users] Portforwarding didn't work
Hi,

we are still configuring the Shorewall and it is nearly done, but there is a problem. We try to connect from a computer in the internet to a database in our local net. We used the example with SAM from the documentation and configured the computer as DMZ.

Here is the configuration

zones:
dmz     DMZ             Demilitarized zone
net     Net             Internet
loc     Local           Local networks

interfaces:
loc     eth1            193.100.201.255
-       eth0            62.159.230.95   noping

hosts:
dmz             eth0:62.159.230.82
net             eth0:0.0.0.0/0

policy:
#CLIENT         SERVER          POLICY          LOG LEVEL
loc             net             ACCEPT
loc             dmz             ACCEPT
dmz             all             CONTINUE
net             all             DROP            info
all             all             REJECT          info

rules:
#Squid
ACCEPT          loc     fw                      tcp     8080        -       all
ACCEPT          fw      net                     tcp     www,443
ACCEPT          fw      dmz                     tcp     www,443
ACCEPT          fw      loc:193.100.201.116     udp     53          -       all
#Sendmail
ACCEPT          net     fw                      tcp     smtp
ACCEPT          fw      loc:193.100.201.2       tcp     smtp
#DB
ACCEPT          dmz     loc:193.100.201.111     tcp     1521,1526   -       all
#ACCEPT         dmz     loc:193.100.201.61      tcp     ssh         -       all

On the firewall runs a squid and a sendmail and it works.

But with the rules for DB there is no way to connect to the DB. Without the rule for the DB there is an error in the logfile (all2all:REJECT) and that's ok. But with the rule activated there is nothing in the log. Is this a problem of the configuration of the firewall or is this a Linux problem????? The firewall runs on a SUSE 7.3 without any patch.

Any idea???

Sorry for my bad English.

Best regards
Stefan Buchwald
Stuttgart, Germany
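The following Python is an added illustration, not code from the thread or from Shorewall itself, of how the rules and policies posted above dispose of the DB connection. Rules are consulted first and an ACCEPT rule carries no log level, so with the #DB rule in place an accepted connection leaves no log entry at all; without it, dmz->loc hits the CONTINUE policy and falls through to all->all REJECT at level info, which is exactly the all2all:REJECT entry described. The rule and policy text is the thread's; the matching logic is a reduced model (zone, destination host, protocol and destination port only, no source-port or ORIGINAL DEST handling), and the service-name table is an assumption standing in for /etc/services.

```python
"""Simplified model of how a Shorewall (1.x-era) ruleset disposes of a new
connection: the rules file is checked first and the first matching rule
wins; only if nothing matches does the policy file decide.  ACCEPT rules
carry no log level, so a connection the firewall accepts leaves no trace
in the log.  Added example, not Shorewall's own code: the rule and policy
text is copied from the thread, the matching logic is a reduced model."""
from dataclasses import dataclass
from typing import Optional

POLICY_TEXT = """
#CLIENT  SERVER  POLICY    LOG LEVEL
loc      net     ACCEPT
loc      dmz     ACCEPT
dmz      all     CONTINUE
net      all     DROP      info
all      all     REJECT    info
"""

RULES_TEXT = """
#Squid
ACCEPT  loc  fw                   tcp  8080       -  all
ACCEPT  fw   net                  tcp  www,443
ACCEPT  fw   dmz                  tcp  www,443
ACCEPT  fw   loc:193.100.201.116  udp  53         -  all
#Sendmail
ACCEPT  net  fw                   tcp  smtp
ACCEPT  fw   loc:193.100.201.2    tcp  smtp
#DB
ACCEPT  dmz  loc:193.100.201.111  tcp  1521,1526  -  all
"""

# Service names the thread's rules use, resolved as /etc/services would (assumed).
SERVICE_PORTS = {"www": 80, "smtp": 25, "ssh": 22}


@dataclass
class Conn:
    src_zone: str
    dst_zone: str
    dst_ip: str
    proto: str
    dport: int


@dataclass
class Verdict:
    action: str
    decided_by: str                   # "rule" or "policy"
    log_level: Optional[str] = None   # None: nothing is logged
    chain: str = ""                   # e.g. "all2all" for a policy verdict


def _ports(spec):
    """'1521,1526' -> {1521, 1526}; 'www,443' -> {80, 443}."""
    return {SERVICE_PORTS.get(p) or int(p) for p in spec.split(",")}


def _split_zone(spec):
    """'loc:193.100.201.111' -> ('loc', '193.100.201.111'); 'loc' -> ('loc', None)."""
    zone, _, host = spec.partition(":")
    return zone, host or None


def _rows(text, width):
    """Whitespace-separated columns, comments dropped, padded with None to `width`."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            cols = line.split()
            rows.append(cols + [None] * (width - len(cols)))
    return rows


def evaluate(conn, rules_text=RULES_TEXT, policy_text=POLICY_TEXT):
    """Return the Verdict the rules/policy files give `conn`."""
    # Rules file: first match wins; an ACCEPT rule has no log level.
    for action, src, dst, proto, dports, _sports, _odest in _rows(rules_text, 7):
        szone, _shost = _split_zone(src)
        dzone, dhost = _split_zone(dst)
        if (szone, dzone) != (conn.src_zone, conn.dst_zone):
            continue
        if dhost is not None and dhost != conn.dst_ip:
            continue
        if proto != conn.proto or conn.dport not in _ports(dports):
            continue
        return Verdict(action, "rule")
    # Policy file: first applicable policy decides; CONTINUE falls through.
    for client, server, policy, level in _rows(policy_text, 4):
        if client not in (conn.src_zone, "all") or server not in (conn.dst_zone, "all"):
            continue
        if policy == "CONTINUE":
            continue
        return Verdict(policy, "policy", level, f"{client}2{server}")
    return Verdict("DROP", "policy", None, "implicit")


def demo():
    """The thread's DB connection with and without the #DB rule, plus a
    client that is not in the dmz host list and so arrives from 'net'."""
    db = Conn("dmz", "loc", "193.100.201.111", "tcp", 1521)
    rules_without_db = RULES_TEXT.split("#DB")[0]
    return {
        "dmz->db with rule": evaluate(db),
        "dmz->db without rule": evaluate(db, rules_without_db),
        "net->db": evaluate(Conn("net", "loc", "193.100.201.111", "tcp", 1521)),
    }


if __name__ == "__main__":
    for name, v in demo().items():
        logged = f"logged at {v.log_level} in {v.chain}" if v.log_level else "not logged"
        print(f"{name:22s} {v.action:7s} ({v.decided_by}, {logged})")
```

Run stand-alone, demo() shows the accepted connection producing no log line and the two refused variants producing all2all and net2all entries. The practical reading for anyone debugging a silent failure like this one: an empty log after adding an ACCEPT rule is consistent with the firewall having passed the SYN, so the next place to look is the traffic itself and the application behind it, not the rule.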
I noticed the same behavior (no logfile entry) when I defined my lan zone in the hosts file. A Linux box trying to get DHCP info from the server running on my firewall box would simply time out with no reply from the server and no log showing it had even tried. I removed the definition in the hosts file and it works fine. A Windows system would succeed though, since they apparently cache their last successful IP address (established before I installed Shorewall).

This probably doesn't help you, but I thought I would mention it.

Sincerely,
Jim Hubbard
E-mail: jimh@dyersinc.com
Visit us online at www.dyersinc.com

> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of
> stefan.buchwald@twt-gmbh.de
> Sent: Wednesday, January 23, 2002 1:10 PM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] Portforwarding didn't work
>
> hosts
> dmz eth0:62.159.230.82
> net eth0:0.0.0.0/0
>
> Without the rule for the DB there is an error in the logfile (all2all:REJECT)
> and that's ok. But with the rule activated there is nothing in the log.
> Is this a problem of the configuration of the firewall or is this a Linux
> problem?????
On Wednesday 23 January 2002 10:09 am, stefan.buchwald@twt-gmbh.de wrote:
> [...]

Are you using NAT or Masquerading in this setup?

-Tom
--
Tom Eastep    \ A Firewall for Linux 2.4.*
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
On Wednesday 23 January 2002 01:21 pm, Jim Hubbard wrote:
> I noticed the same behavior (no logfile entry) when I defined my lan zone
> in the hosts file.
> [...]
> This probably doesn't help you, but I thought I would mention it.

Did you specify "dhcp" in the interface's entry in /etc/shorewall/interfaces? If not, you will see the behavior you describe.

-Tom
--
Tom Eastep    \ A Firewall for Linux 2.4.*
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
> -----Original Message-----
> From: Tom Eastep [mailto:teastep@shorewall.net]
> Sent: Wednesday, January 23, 2002 4:33 PM
> To: jimh@dyersinc.com; shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] Portforwarding didn't work
>
> Did you specify "dhcp" in the interface's entry in /etc/shorewall/interfaces?
> If not, you will see the behavior you describe.

Ya know, I should try reading documentation while sober some day. My "learn by failure" approach really sucks.

Thanks,
Jim Hubbard
stefan.buchwald@twt-gmbh.de
2002-Jan-24 10:15 UTC
[Shorewall-users] Portforwarding didn't work
Hallo Tom,

> Are you using NAT or Masquerading in this setup?

I use Masquerading with the following setting in the masq file

eth1                    193.100.201.0/24

cu
Stefan

On 23.01.2002 22:31, Tom Eastep <teastep@shorewall.net> wrote:
> On Wednesday 23 January 2002 10:09 am, stefan.buchwald@twt-gmbh.de wrote:
> > [...]
>
> Are you using NAT or Masquerading in this setup?
>
> -Tom
> --
> Tom Eastep    \ A Firewall for Linux 2.4.*
> AIM: tmeastep  \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
stefan.buchwald@twt-gmbh.de
2002-Jan-24 10:20 UTC
[Shorewall-users] Portforwarding didn't work
Hallo Tom,

sorry, the line in the masq file is

eth0     193.100.201.0/24

and not eth1 as sent in the email before. In the nat file nothing is configured.

sorry
Stefan

> Hallo Tom,
> > Are you using NAT or Masquerading in this setup?
> I use Masquerading with the following setting in the masq file
> eth1                    193.100.201.0/24
> cu Stefan
> [...]
On Thursday 24 January 2002 02:20 am, stefan.buchwald@twt-gmbh.de wrote:
> Hallo Tom
> sorry, the line in the masq file is eth0     193.100.201.0/24
> and not eth1 as sent in the email before.
> In the nat file nothing is configured
>

Then your Shorewall setup appears correct, assuming that you want to forward TCP ports 1521 and 1526 to system 193.100.201.111. I suggest that you look at the traffic on both sides of the firewall with tcpdump or ethereal to try to see what is going wrong.

Do you know for sure that the DB application works through NAT?

-Tom
--
Tom Eastep    \ A Firewall for Linux 2.4.*
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
1521 Hmm.. That's the TNS listener 8.x on Oracle. It won't work.

The way that Oracle works with the TNS listener is a bit like a 2-tier system. When SQL*NET establishes a connection to the remote host at port 1521, the TNS listener will dispatch an Oracle process on a random port, and then returns a string to your SQL*NET that looks something in the line of (HOST=<the ip of the oracle host and not the firewall> PORT=<the port of the oracle host>).

So, if you're on the public network (say, the internet) and your SQL*NET receives the message to connect to a non-routable IP, well, unless you have a VPN connection, you're going nowhere.

My suggestion: make a VPN connection, or use Oracle Connection Manager for Linux (I never tried Oracle Connection Manager, but I know it exists to bypass firewalls).

-----Original Message-----
From: shorewall-users-admin@shorewall.net [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Tom Eastep
Sent: January 24, 2002 9:23 AM
To: stefan.buchwald@twt-gmbh.de; shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] Portforwarding didn't work

[...]
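An added illustration of the redirect problem Kristopher describes (this is example code, not Oracle's or Shorewall's, and not part of the original post). Oracle address strings use the nested (KEY=VALUE) syntax; the block parses such a string, pulls out HOST and PORT, and checks whether a client that reached the listener through the firewall's public address can follow the redirect at all. The check generalizes slightly beyond the post: it also covers the case Stefan raises later, a listener pinned to a single forwarded port, which passes only if the listener advertises the firewall's address. The descriptor strings, the random port and the "listener pinned to 1526" scenario are constructed; 62.159.230.95 (the firewall's eth0 address) and the forwarded ports 1521/1526 are taken from the thread, and the real listener message carries more fields than shown here.

```python
"""Parse an Oracle-style connect descriptor (nested (KEY=VALUE) groups, the
syntax of ADDRESS/HOST/PORT strings) and decide whether a client that reached
the listener through a firewall can follow the redirect it returns.  Added
example, not Oracle's or Shorewall's code.  The descriptors in demo() are
constructed; the real listener redirect carries more fields around them."""


def parse_descriptor(text):
    """Turn '(A=(B=1)(C=2))' into {'A': {'B': '1', 'C': '2'}}.
    A key repeated at one level (several ADDRESS entries, say) becomes a list."""
    pos = 0

    def skip_ws():
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def group():
        nonlocal pos
        skip_ws()
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        end = text.index("=", pos)
        key = text[pos:end].strip()
        pos = end + 1
        skip_ws()
        if text[pos] == "(":                 # value is a list of nested groups
            value = {}
            while text[pos] == "(":
                k, v = group()
                if k in value:               # repeated key -> list of values
                    if not isinstance(value[k], list):
                        value[k] = [value[k]]
                    value[k].append(v)
                else:
                    value[k] = v
                skip_ws()
        else:                                # scalar value runs up to ')'
            end = text.index(")", pos)
            value = text[pos:end].strip()
            pos = end
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return key, value

    key, value = group()
    return {key: value}


def redirect_reachable(redirect, connected_to, forwarded_ports):
    """A client first connected to `connected_to` (the firewall's public
    address).  It can follow the redirect only if the listener hands back that
    same address and a port the firewall forwards; an internal address or an
    unforwarded random port is a dead end from outside."""
    addr = parse_descriptor(redirect)["ADDRESS"]
    host, port = addr["HOST"], int(addr["PORT"])
    if host != connected_to:
        return False, f"redirect points at {host}, which the client cannot reach through the firewall"
    if port not in forwarded_ports:
        return False, f"redirect port {port} is not forwarded by the firewall"
    return True, f"redirect to {host}:{port} uses a forwarded port"


def demo():
    """Constructed cases.  62.159.230.95 (firewall eth0) and the forwarded
    ports 1521/1526 come from the thread; port 34567 is an invented example."""
    firewall_public = "62.159.230.95"
    forwarded = {1521, 1526}
    cases = {
        "default listener: internal host, random port":
            "(ADDRESS=(PROTOCOL=tcp)(HOST=193.100.201.111)(PORT=34567))",
        "firewall address advertised, random port":
            "(ADDRESS=(PROTOCOL=tcp)(HOST=62.159.230.95)(PORT=34567))",
        "firewall address advertised, listener pinned to 1526":
            "(ADDRESS=(PROTOCOL=tcp)(HOST=62.159.230.95)(PORT=1526))",
    }
    return {name: redirect_reachable(d, firewall_public, forwarded)
            for name, d in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {why}")
```

Only the third case passes: both conditions, the advertised address and the advertised port, must line up with what the firewall exposes, which is why a plain port-forward of 1521 is not enough on its own and why capturing the traffic on both sides of the firewall (as suggested earlier in the thread) shows the redirect that the firewall never sees a follow-up for.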
stefan.buchwald@twt-gmbh.de
2002-Jan-25 10:03 UTC
[Shorewall-users] Portforwarding didn't work
Hallo Kristopher,

thank you for your mail. Yes, it is the Oracle TNS listener and in the default settings it works as you described. But you can configure the listener to use only one port. This worked fine with our "old Seawall". So I think I have to look at the traffic to see what's going wrong.

cu
Stefan

On 24.01.2002 15:32, "Kristopher Lalletti" <kris@eclipseci.com> wrote:
> [...]